Control: How does an enterprise vet the security mindfulness of contractors with which it engages?
Scott: Third parties probably try their best to perform their duties in a secure manner, but more importantly it is the enterprise’s responsibility to institute proper security and limitations on access, and to monitor all activity. It is best practice to assume that your third parties have little to no mindfulness of their security and that any one of them with access to the enterprise could be an avenue for cyber-threat.
Control: What is the most common type of network attack via third parties? What's the defense?
Scott: Today, the most common type of attack is performed with stolen credentials via phishing or social engineering. Because the bad actor looks like the real person to the system, your best defense is to segment (limit) access to only the systems, applications or even down to the specific functions within applications that they need to perform their job. Monitor their activity and keep an eye out for anything unusual. If the third party only requires monitoring access, then create a one-way push of data out to them, rather than allowing access into your systems. That would completely eliminate any chance of compromising your network via the third party.
Control: What particular challenges does the industrial space face regarding security?
Scott: Industrial enterprises are less prepared than many other sectors. For example, most industrial systems are not designed with security in mind. Industrial organizations are less regulated from a cyber-perspective than other industries like healthcare and telecom. OT systems were traditionally disconnected from IT systems and the rest of the enterprise, which meant no money was spent to protect them. And, frankly, a lot of the systems in use are aging and/or not up to date regarding software/patching. Now that they’re becoming more connected, these organizations face a growing number of threats to industrial OT systems that are relatively defenseless. Unfortunately, there’s a lot of ground to make up and a lot of plants are getting compromised.
Control: Give us some good news. What's encouraging in the world of securing industrial control systems?
Scott: There’s a clear shift happening in terms of increased awareness from a cybersecurity standpoint. More industrial control system manufacturers are integrating security functionality into their products, and more industrial organizations are taking steps to protect their OT systems and fortify their networks. There are also a lot of new, specialized cybersecurity tools on the market, some of which don’t require specialized software integrations or massive security teams to implement and maintain. Plus, regulators and the cybersecurity community are starting to take note—the DHS has released guidance to secure industrial control systems, and there are ICS cybersecurity specialists now to help these organizations protect themselves.
